[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[WEB SECURITY] RE: Java SQL/LDAP Injections

From: "Jayaraman, Anand X." <AJayaraman@xxxxxxxxx>
Subject: [WEB SECURITY] RE: Java SQL/LDAP Injections
Date: Thu, 27 Apr 2006 09:24:10 -0400

Andy:

   For LDAP Injection.

   Call the following method before calling LDAP code inside checkUser()

public static bool isUsernameValid(string username) {
RegEx r = new Regex("^[A-Za-z0-9]{16}$");
return r.isMatch(username);
} 


This validate your input and help prevent an injection.


Anand

-----Original Message-----
From: Andres Molinetti [mailto:andymolinetti@xxxxxxxxxxx] 
Sent: Wednesday, April 26, 2006 1:26 PM
To: websecurity@xxxxxxxxxxxxx
Cc: webappsec@xxxxxxxxxxxxxxxxx
Subject: Java SQL/LDAP Injections

Dear list,

I am working on some Java code reviews and was looking for injection vectors that may apply on it.

Take for example the following code:

---------------------
public User getUsers(String userID) {
...
NamedQuery query = new NamedQuery(User.class, "user.view.by.id "); Map parameters = new HashMap(); parameters.put("userid", userID); query.setParameters(parameters); List list = Repository.select(query); ...
}
----------------------


That piece of code interacts with Hibernate to get a list of user objects with that ID from a relational DB. Here is the extract of the HBM mapping
file:

--------------------
<property name="userID" type="string" length="15" column="USER_ID"/> ....
<query name="user.view.by.id"><![CDATA[
from com.test.user as userX
where userID = :userid
]]>
</query>
--------------------

I am wondering if this represents vulnerable code, exploited by, for example, calling getUsers("' or '1'='1") or something of the sort.

Second, suppose the application interacts with an LDAP server, using the following code:

------------------------------------
public boolean checkUser(String userID) {

           boolean result = false;
           Attributes srchAttrs = new BasicAttributes(true);
           String [] resAttrsID = {"uid"};

           searchAttrs.put("uid", userID);
           Enumeration srchResults = null;

           srchResults = ctx.search(LDAP.getBranch(), srchAttrs, resAttrsID);
           if((srchResults != null) && ( srchResults.hasMoreElements() ==
true))
               result = true;

           result = false;

}
------------------------------------

Is this function vulnerable to LDAP Injection?

Looking foward to reading your opinions....

Andy.

_________________________________________________________________
Moda para esta temporada. Ponte al día de todas las tendencias. 
http://www.msn.es/Mujer/moda/default.asp


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------




---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

Prev by Date: RE: [WEB SECURITY] another good guy is charged
Next by Date: RE: [WEB SECURITY] another good guy is charged
Previous by thread: [WEB SECURITY] another good guy is charged
Next by thread: [WEB SECURITY] adding a java script from a different domain
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site